Authentication + Mobile Phone = Password Killer

Can the smartphone free us from the drudgery of the much-despised password? There's good reason to hope.

It is arguably the Internet's most common problem: how to simplify authentication. The much-abused password is still the most prevalent way we identify ourselves -- via mobile devices and otherwise. But it's definitely showing its age.

Passwords were introduced to modern computing nearly 50 years ago. Their initial purpose was to control access to key functions on mainframe computers, and they've remained a constant up through the present day. The reason for this -- surprising as it seems -- is because, at some level, they work.

They are also the lowest common security denominator for the online places we regularly visit. We've all been trained by banks, credit card companies, Internet service providers, and social media sites to construct passwords or phrases of varying levels of complexity, often accompanied by additional questions to verify our memorable dates, secret words, mother's dog's maiden name, and the rest.

Passwords are the problem

The problem is that passwords can no longer scale. It's become impossible to create memorable, strong, unique passwords for the broad range of sites with which we interact, so we don't. Instead, we rely on one or a small number of strongish passwords to suit the unique and maddeningly complex rules created by websites that seem to want to make it extremely difficult to consume services and buy products.

It’s not just users who are frustrated. Though companies are eager to make authentication as streamlined as possible, commercial security tools seem to create as many problems as they purport to solve. They add costs such as hardware tokens, create steps for users, invade privacy, and could compromise the solution's security profile.

Worse, if the weakest point in a web infrastructure is the password, then there is considerable benefit in hacking these large-scale password databases. The list of compromised passwords is endless -- from LinkedIn, Yahoo, Evernote, Sony, and many more. Criminals know that, if they have your username and password from one site, there's a better than good chance it will work across other sites. The online banking account, email provider, or any other sites that you allow to build an identity for you will soon wish they didn't have it.

What's the answer? Many of you probably have had some experience with two-factor or multifactor authentication, a security technique recently adopted by Twitter, DropBox, Gmail, and others with some success. The problem with two-factor identification is that it doesn’t scale -- and for the same reason people can't be expected to recall 20-30 unique passwords. Who can remember to carry a hardware token with them all the time to log in to the dozens of sites they regularly visit?

Smartphones to the rescue

But here's the good news. Today we all carry a mobile phone. Increasingly, in the United States and Western Europe at least, this device is likely to be a smartphone. What these devices offer is a range of ways to strongly authenticate ourselves to both the local device and to the Internet services we want to access. A good example of this is the latest Apple iPhone. We now have a fingerprint sensor (Touch ID) in a mass-market smartphone.

This is not just about fingerprint sensors, though industry reports state that Tier 1 device manufacturers will have this feature by the end of 2014. It is about everything else that is present in smartphones. You have increasingly powerful cameras and microphones supporting voice and face recognition. You also have a range of additional capabilities -- GPS, for instance -- that can be used as part of the authentication process to determine if the user is in a normal location.

Last, but not least, is the fact that most device manufacturers have invested in secure elements and trusted execution environments. These are hardware- and software-based secure storage areas and operating systems that allow the secure creation and storage of a credential of the device. An example of this would be the TrustZone® architecture from ARM. These allow us to give a smartphone a similar level of trust as a smart card, which is crucial in meeting the business risk of payment services providers, insurance companies, and government agencies.

With all these advantages, freedom from password drudgery is no longer an impossible dream. Let's chat about how to make this vision of a secure and simple web authentication process our new reality.

SecurID and others created soft tokens for smartphones so you wouldn't have to carry around a physical token. But there are lots of other ways a smart phone can create adaptive security measures. Using the GPS, it knows where you are and so geolocation can be added as a double check. You're in your office? No need to enhance security. Trying to access material from outside the country? Hmm maybe we need to challenge you some more.

The password dilemma is seen in every industry, and has been growing in the healthcare industry with the rapid adoption of electronic health records and other technologies that deal with sensitive data and patient information. There's pushback from physicians who don't want to be required to enter multiple passwords for different systems. I can see the touch ID method as a viable option in the healthcare industry as so many docs move from desktops to mobile platforms (BYOD, etc.).

This is of course the route to go, using the mobile device as the "password killer".

Here is an example of very good implementation.

A year ago mobile bankID was launched in Sweden and it's already a big success. More and more services, especially financial (like mobile banking/insurance) and governmental/municipal services (like tax services) are using mobile bankID for authentication.

Success factors: it's very easy to use (easier than banks hardware tokens), it's very fast and it's of course very secure, banks in Sweden says it's even more secure than the special hardware tokens...

I love the idea of smartphone as password too, except the GPS bit scares me a bit. We already get those calls from the bank when we travel and try to do debit card purchases in an unusual locale. That's a tricky balance: you don't want someone raiding your account but you want the ATM card to work on that quick trip. Are password / ID calls next?

This is a real dog of an idea. Well, FIDO, to be precise. The FIDO Alliance wants to eliminate passwords thru mobile/smartphone technology. With members like Google, MasterCard, PayPal and dozens more they've got a good chance of pulling this off.

Killing passwords is a dream for me. All of us use dozens of websites and apps every week, each requiring its own password and user name. I don't consider the stack of legal sheets and scrap paper covered with my various user names and passwords (of course with the site name) to meet even the basic standard for infosecurity. So, anything that the mobile phone can do to eliminate passwords gets my vote.

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.